Timely analysis of event logs from internet-facing servers
Regularly check logs from online servers to quickly spot security issues.
🏛️ Framework: ASD Essential Eight
🧭 Control effect: Detective
🛠️ E8 mitigation strategy: Multi-factor authentication
🔐 Classifications: N/A
🗓️ Official last update: N/A
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: ML2
Event logs from internet-facing servers are analysed in a timely manner to detect cyber security events.
Source: ASD Essential Eight
Plain language
Regularly checking the logs from your internet-facing servers is akin to keeping an eye on your store's front door. If you don't review them frequently, you might miss signs of a cyber attack that could harm your business. By examining these logs promptly, you can catch potential security threats early before they cause severe damage.
Why it matters
If internet-facing server logs aren’t analysed promptly, intrusions and suspicious activity may go unnoticed, increasing the chance of data theft, malware spread or service disruption.
Operational notes
Review internet-facing server logs daily (or near real-time) via SIEM; alert on suspicious auth, web errors and admin changes, and escalate confirmed incidents within defined timeframes.
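The checks named in the operational note, as an added example (not code from Control Stack or ASD): a small analyser that raises alerts for repeated authentication failures, server error bursts and admin changes, and flags a batch that was reviewed too late. The Common Log Format input, the `/admin` path prefix, the thresholds and the 24-hour review window are assumptions, and the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample in Common Log Format (documentation-range addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Feb/2026:01:10:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [22/Feb/2026:01:10:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [22/Feb/2026:01:10:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [22/Feb/2026:01:10:04 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [22/Feb/2026:01:10:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [22/Feb/2026:01:11:00 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - alice [22/Feb/2026:01:12:00 +0000] "POST /admin/users HTTP/1.1" 200 88
192.0.2.9 - - [22/Feb/2026:01:13:00 +0000] "GET /api/export HTTP/1.1" 500 0
192.0.2.9 - - [22/Feb/2026:01:13:01 +0000] "GET /api/export HTTP/1.1" 500 0
192.0.2.9 - - [22/Feb/2026:01:13:02 +0000] "GET /api/export HTTP/1.1" 500 0
"""

LINE_RE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
# Assumed thresholds and review window; tune to your own logging policy.
AUTH_FAILS, SERVER_ERRORS, MAX_LAG = 5, 3, timedelta(hours=24)

def parse(text):
    """Yield (ip, user, timestamp, method, path, status) per parseable line."""
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ip, user, ts, method, path, status = m.groups()
        yield ip, user, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def analyse(text, reviewed_at):
    """Return alerts for auth failures, server errors, admin changes, late review."""
    events, alerts = list(parse(text)), []
    fails = Counter(ip for ip, _, _, _, _, st in events if st in (401, 403))
    alerts += [("auth_failures", ip, n) for ip, n in sorted(fails.items()) if n >= AUTH_FAILS]
    errors = Counter(path for _, _, _, _, path, st in events if st >= 500)
    alerts += [("server_errors", p, n) for p, n in sorted(errors.items()) if n >= SERVER_ERRORS]
    for ip, user, ts, method, path, status in events:
        if path.startswith("/admin") and method in ("POST", "PUT", "DELETE") and status < 400:
            alerts.append(("admin_change", user, path))
    # Timeliness: the oldest event in the batch must not have waited longer than MAX_LAG.
    if events and reviewed_at - min(e[2] for e in events) > MAX_LAG:
        alerts.append(("review_overdue", min(e[2] for e in events).isoformat(), len(events)))
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG, datetime(2026, 2, 22, 9, 0, tzinfo=timezone.utc)):
        print(alert)
```

The single failed login from 198.51.100.4 stays below the threshold and raises no alert, while the same batch reviewed two days later additionally produces a `review_overdue` entry.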
Implementation tips
- Security officer: Establish a schedule for when event logs should be analysed, ensuring it's a regular task.
- IT team: Set up automated alerts for unusual activity in event logs from internet-facing servers to ensure prompt detection.
- System administrator: Use a log management tool to collect and consolidate logs, making analysis more efficient.
- IT manager: Allocate resources and time for staff to analyse event logs consistently as part of their routine duties.
Audit / evidence tips
- Ask: How often are the logs from your internet-facing servers reviewed?
- Good: Logs are reviewed daily or weekly, with a set schedule visible.
- Ask: What happens if an unusual event is detected in the logs?
- Good: There is a clear, documented process to investigate abnormal log entries, with past examples of successful resolution.
Cross-framework mappings
How E8-MF-ML2.8 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (2) | ||
| Annex A 8.15 | E8-MF-ML2.8 requires timely analysis of event logs specifically from internet-facing servers to detect cyber security events | |
| Annex A 8.16 | E8-MF-ML2.8 focuses on timely analysis of event logs from internet-facing servers to detect cyber security events | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | ||
| ISM-1228 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| Partially overlaps (2) | ||
| ISM-1907 | ISM-1907 requires timely analysis of logs from non-internet-facing servers to detect cyber security events | |
| ISM-1986 | ISM-1986 requires event logs from critical servers to be analysed in a timely manner to detect cyber security events | |
| Supports (1) | ||
| ISM-0580 | ISM-0580 requires an organisation to develop, implement and maintain an event logging policy to ensure events are recorded and monitored | |
| Depends on (2) | ||
| ISM-1405 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| ISM-1978 | E8-MF-ML2.8 requires timely analysis of event logs from internet-facing servers to detect cyber security events | |
| Related (2) | ||
| ISM-1906 | ISM-1906 requires event logs from internet-facing servers to be analysed in a timely manner to detect cyber security events | |
| ISM-1987 | ISM-1987 requires event logs from security products to be analysed in a timely manner to detect cyber security events | |